Tag: Sigma

Rule Digest. APT & Malware: Content Released This Week

This week, the rules to detect malware and APT activity from both our team and the participants of the SOC Prime Threat Bounty Program got into the spotlight. In our digests, we draw your attention to interesting rules published over the past week. APT StrongPity by Ariel Millahuel https://tdm.socprime.com/tdm/info/lC2OEeruDxdg/fos3nHEB1-hfOQir9NI-/?p=1 StrongPity APT (aka Promethium) […]

Rule of the Week: Possible Malicious File Double Extension

Adversaries can mask malicious executables as images, documents or archives by replacing file icons and adding fake extensions to the file names. Such “crafted” files are often used as attachments in phishing emails, and this is a fairly effective way to infect Windows systems because the “Hide extensions for known file types” option is enabled by default for […]
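The check that a double-extension rule performs, as an added example that is not the rule from Threat Detection Marketplace nor code from the original post: it looks at the file name in a Sysmon-style file-creation or process-creation event and flags a "harmless" extension (document, image, archive) immediately followed by an executable one, tolerating the whitespace padding attackers use to push the real extension out of view, and it also flags the Unicode right-to-left override trick that produces the same visual effect. The extension lists and the sample events are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed lists (not from the page): extensions a user expects to be inert,
# and extensions Windows will execute when the file is double-clicked.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf",
                    "txt", "jpg", "jpeg", "png", "gif", "zip", "rar", "7z",
                    "mp3", "mp4"}
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "ps1", "msi", "lnk"}

# U+202E RIGHT-TO-LEFT OVERRIDE: "report\u202efdp.exe" renders as "reportexe.pdf".
RTLO = "\u202e"

# ".<decoy>" optionally padded with whitespace, then ".<exe>" at the end of the name.
# With extensions hidden, Explorer shows "Invoice.pdf" for "Invoice.pdf.exe".
DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[a-z0-9]{1,5})\s*\.(?P<exe>[a-z0-9]{1,4})$", re.IGNORECASE
)


def basename(path: str) -> str:
    """Last path component; accepts both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_filename(path: str) -> Optional[str]:
    """Return why the name looks masked ('double_extension', 'rtlo_override') or None."""
    name = basename(path)
    if RTLO in name:
        return "rtlo_override"
    m = DOUBLE_EXT.search(name)
    if (m and m.group("decoy").lower() in DECOY_EXTENSIONS
            and m.group("exe").lower() in EXEC_EXTENSIONS):
        return "double_extension"
    # Single extensions and legitimate chains such as backup.tar.gz fall through.
    return None


# Constructed sample events, reduced to the fields the check needs:
# Sysmon EventID 11 (FileCreate) carries TargetFilename, EventID 1 (ProcessCreate) carries Image.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\Downloads\Invoice_4471.pdf.exe"},
    {"EventID": 11, "TargetFilename": r"C:\Users\bob\Downloads\backup.tar.gz"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\photo.jpg                        .scr"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\Desktop\\report\u202efdp.exe"},
]


def scan_events(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Run the check over events and return (file name, reason) for every hit."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        path = ev.get("TargetFilename") or ev.get("Image")
        if not isinstance(path, str):
            continue
        reason = classify_filename(path)
        if reason:
            hits.append((basename(path), reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan_events(SAMPLE_EVENTS):
        print(f"{reason:18} {name!r}")
```

The whitespace tolerance matters in practice: a name such as `photo.jpg<many spaces>.scr` passes a naive `endswith(".jpg.scr")` check, but a rule keyed only on `.jpg.exe`-style literals misses it. Tune the decoy list to what your users actually receive; the executable list is the more stable side of the pair.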

Threat Hunting Content: Uncover Bladabindi Backdoor

The Bladabindi backdoor has been known since at least 2013; its authors monitor cybersecurity trends and keep improving the backdoor to evade detection: they recompile, refresh, and rehash it, so IOC-based detection content is almost useless. In 2018, the Bladabindi backdoor became fileless and was used as a secondary payload delivered by njRAT / Njw0rm malware. The […]

Sigma Rule: Sophos Firewall Asnarok Malware Campaign

An emergency security update for Sophos XG Firewall was released this Saturday. The update patches a zero-day SQL injection remote code execution vulnerability that was being actively exploited in the wild. It allows cybercriminals to compromise Sophos firewalls via their management interface and deploy the Asnarok malware. The Trojan steals the firewall’s license and serial number, user […]

Detection Content: Finding Ursnif Trojan Activity

The ‘Process Injection by Ursnif (Dreambot Malware)’ exclusive rule by Emir Erdogan is released on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/IIfltgwf9Tqh/piHTv3EBjwDfaYjKDztK/ The Ursnif banking Trojan has been used by adversaries in various modifications for about 13 years, constantly gaining new features and acquiring new tricks to evade security solutions. Its source code was leaked in 2014, and since […]

Threat Hunting Content to Spot Traces of Buer Loader

A new community rule by Ariel Millahuel that enables detection of the Buer loader is available on Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/5F93tXFdZmx9/ Buer is a modular loader that was first spotted at the end of last summer, and since then this malware has been actively promoted on underground marketplaces. Proofpoint researchers tracked multiple campaigns spreading the Buer loader, […]

Interview with Developer: Den Iuzvyk

SOC Prime is presenting another interview with a participant of the SOC Prime Threat Bounty Developer Program (https://my.socprime.com/en/tdm-developers). We want to introduce Den Iuzvyk, who has published 60+ community rules of the highest quality and detection value during six months of his participation in the Threat Bounty Program. Read more interviews with content developers […]

Rule Digest: Fresh Content to Detect Trojans and Ransomware

SOC Prime brings to your attention a small digest of the latest community rules developed by participants of the Threat Bounty Program (https://my.socprime.com/en/tdm-developers). The digest includes 5 rules that help to detect Trojans and Hidden Tear Ransomware. In the future, we will continue to publish such selections of content to detect specific threat actors or […]

Detection content that uncovers attempts to steal AccessKey for the current session in Azure

The ‘Suspicious Command Line Contains Azure TokenCache.dat as Argument’ community rule by the SOC Prime team is available at Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/MzSiYeDJ9PvW/ The TokenCache.dat file contains the AccessKey for the current session and is stored as a plaintext JSON file. Any manipulation of this file via the command line may indicate an attempt to steal […]

Threat Bounty Program: To Infinity… and Beyond!

+30% bonus on Threat Bounty Payout for March and Steady Income Generation on Threat Research in times of WFH and COVID19 “We are witnessing the cyber security industry transformation. Software has progressed from waterfall and kanban to agile processes and CI/CD. The discipline of threat detection engineering has evolved too. This became possible due to […]
